Intrusion detection system in software defined wireless sensor networks

Academic year: 2021

Intrusion detection system in software defined wireless sensor networks

Alfred Tebogo Kgogo

orcid.org/0000-0001-6316-0544

Dissertation submitted in fulfilment of the requirements for the degree

Master of Science in Computer Science

at the North West University

Supervisor:

Dr B.E. Isong

Co-Supervisor: Prof B.M. Esiefarienrhe

Co-Supervisor: Dr Adnan M. Abu-Mahfouz

Graduation ceremony : April 2019

Student number : 24600857


DECLARATION

I, ALFRED TEBOGO KGOGO, hereby declare that this research project entitled “Intrusion detection system in software defined wireless sensor networks” is my own work carried out at the North-West University, Mafikeng Campus and has not been submitted in any form for the award of a degree to any other university or institution of tertiary education or published earlier. All the material used as source of information has been duly acknowledged in the text.

Signature: ______________________ Date: _______________________

Alfred Tebogo Kgogo

APPROVAL

Signature: ______________________ Date:

Supervisor: Dr B.E. Isong

Department of Computer Science North West University

Mafikeng Campus South Africa

Signature: _____________________ Date: _______________________

Co-supervisor: Prof B.M. Esiefarienrhe

Department of Computer Science North West University

Mafikeng Campus South Africa.

Signature: _____________________ Date: _______________________

Co-supervisor: Dr Adnan M. Abu-Mahfouz CSIR

Pretoria South Africa.


ACKNOWLEDGEMENTS

Firstly, I would like to give thanks to the ONE who is above all, GOD, for the strength and encouragement He gave me to complete this research project. Thank you Lord.

Secondly, the inspiration, guidance, motivation, even patience and friendliness I received from my Supervisor Dr B. Isong is priceless, I am truly grateful. God bless you abundantly.

Also, my parents and my siblings, for always being there for me: the support that you showed me, I really appreciate; without you I would not have completed this project.

Thirdly, my gratitude goes to all the staff members at the Department of Computer Science, North-West University, Mafikeng Campus, for the academic advice given to me throughout the period of this research, and their comments during my progress reports that helped me in adjusting and correcting this research project.

I would also like to extend my gratitude and thanks to CSIR for providing me with financial assistance and for that I am grateful. To Dr Adnan M. Abu-Mahfouz your guidance is appreciated.

Last but not least, and most importantly, I thank all my colleagues in Computer Science: Thulani, Oratile, Warren and Rodney, as I would always share my challenges with them and with patience they would help where they could; without you this project and programme would not have been possible, and so I salute you.


ABSTRACT

Software defined wireless sensor network (SDWSN) is a network paradigm recently developed for the dynamic and secure control of smart devices and the future of the Internet of Things. It applies the innovation, ease of network management and configurability of software defined networking, obtained by decoupling the control plane from the data plane, to address the inherent challenges that wireless sensor networks (WSN) face. However, SDWSN is not immune to the challenges it was designed to solve, specifically security threats and attacks. In particular, SDWSN lacks major security components of the network, such as middle boxes and transport layer security, which makes it more vulnerable to threats and attacks emanating from network intrusions. Moreover, there is no active mechanism in place to monitor the network and keep it alert and proactive at all times.

This challenge is addressed in this research by proposing an Intrusion Detection System (IDS) for SDWSN using a Machine Learning (ML) technique. To identify which ML algorithm is more effective and efficient in the detection of threats and attacks, we performed classification experiments using Decision Tree (DT), Support Vector Machine (SVM) and Logistic Regression (LR). These algorithms were used to identify network packets and classify them as normal or anomalous network packets. The experiment was performed in the Waikato Environment for Knowledge Analysis (WEKA) using the KDD Cup’99 dataset with 18 selected features.

The obtained results show that the SVM model is the most effective ML algorithm, followed by DT, in terms of detection rate for both the normal and anomaly instances. On the basis of efficiency, DT produced 77.43% and 22.57% accuracy for correct and incorrect classification respectively, as well as the minimum time for classification in both training and testing. From these results, we conclude that DT is more efficient and effective in the detection of network intrusions in real time, so that the SDWSN can be alert and proactive at all times. This research produced an IDS framework for SDWSN based on the DT model. The researchers defined the IDS components and discussed the functioning of each component that contributes to ensuring that only non-malicious packets are allowed into the SDWSN. This was achieved by monitoring the network resources and being able to identify and block any form of intrusion and attack. Security is an important component of the network. Therefore, it is important that the network is alert and proactive at all times to avoid violation of integrity, confidentiality and availability, or cases of network failure due to attacks by intruders. The essence is to ensure that the SDWSN is secure and dependable. Moreover, the researchers also recommend a similar study on other ML algorithms and the actual implementation of the IDS in a real-world SDWSN.
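As an added illustration (not the dissertation's own code, nor the WEKA experiment it describes), the following Python script walks through the classification workflow the abstract summarises: a decision tree is learned from connection records described by five KDD Cup’99-style features (duration, src_bytes, count, serror_rate, same_srv_rate), then scored on a held-out set with a confusion matrix (TP, FP, TN, FN), accuracy, detection rate and false-alarm rate. The records, the two anomaly shapes (a SYN flood and a service sweep), the thresholds and the from-scratch information-gain learner are all constructed for this example and stand in for the dataset and WEKA's DT implementation.

```python
"""Decision-tree anomaly classification over KDD Cup'99-style features.

Added example, not the dissertation's code: a small information-gain
decision tree learner plus the confusion-matrix metrics used to judge an
IDS. All records below are constructed; the five feature names follow
the KDD Cup'99 feature set.
"""
import math
from collections import Counter

FEATURES = ["duration", "src_bytes", "count", "serror_rate", "same_srv_rate"]

# Constructed training records: ([features in FEATURES order], label).
TRAIN = [
    ([0, 181, 8, 0.0, 1.0], "normal"),
    ([0, 239, 5, 0.0, 1.0], "normal"),
    ([2, 1500, 260, 0.0, 1.0], "normal"),    # busy but healthy server: no errors
    ([5, 4200, 25, 0.0, 1.0], "normal"),
    ([1, 520, 60, 0.0, 1.0], "normal"),
    ([0, 0, 3, 0.0, 0.9], "normal"),         # connection closed without payload
    ([0, 0, 250, 1.0, 1.0], "anomaly"),      # SYN flood: every connection errors out
    ([0, 0, 300, 0.98, 1.0], "anomaly"),
    ([0, 8, 120, 0.0, 0.02], "anomaly"),     # service sweep: many services, one host
    ([0, 12, 70, 0.0, 0.03], "anomaly"),
    ([0, 60, 40, 0.0, 0.05], "anomaly"),
    ([0, 300, 15, 0.0, 0.1], "anomaly"),
]

# Constructed test records, including one false alarm and one miss.
TEST = [
    ([0, 210, 6, 0.0, 1.0], "normal"),
    ([3, 980, 30, 0.0, 1.0], "normal"),
    ([1, 640, 12, 0.0, 1.0], "normal"),
    ([0, 120, 4, 0.0, 0.4], "normal"),       # client spread over several services
    ([0, 0, 280, 1.0, 1.0], "anomaly"),
    ([0, 0, 220, 0.9, 0.95], "anomaly"),
    ([0, 10, 100, 0.0, 0.04], "anomaly"),
    ([0, 0, 60, 0.0, 0.6], "anomaly"),       # slow sweep favouring one service
]


def entropy(labels):
    """Shannon entropy of a label list, in bits."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def best_split(rows):
    """Return (feature_index, threshold, gain) of the split with the largest
    information gain, or (None, None, 0.0) if no split helps."""
    base = entropy([y for _, y in rows])
    best = (None, None, 0.0)
    for f in range(len(FEATURES)):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):   # midpoints between observed values
            thr = (lo + hi) / 2
            left = [y for x, y in rows if x[f] <= thr]
            right = [y for x, y in rows if x[f] > thr]
            gain = base - len(left) / len(rows) * entropy(left) \
                        - len(right) / len(rows) * entropy(right)
            if gain > best[2]:
                best = (f, thr, gain)
    return best


def build_tree(rows, depth=0, max_depth=4):
    """A leaf is a label string; a node is (feature, threshold, left, right)."""
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth >= max_depth:
        return majority
    f, thr, _ = best_split(rows)
    if f is None:
        return majority
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return (f, thr, build_tree(left, depth + 1, max_depth),
            build_tree(right, depth + 1, max_depth))


def predict(tree, x):
    while isinstance(tree, tuple):
        f, thr, left, right = tree
        tree = left if x[f] <= thr else right
    return tree


def confusion(tree, rows, positive="anomaly"):
    """Count TP/FP/TN/FN with the anomaly class as the positive class."""
    cm = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for x, y in rows:
        hit, truth = predict(tree, x) == positive, y == positive
        cm["TP" if hit and truth else "FP" if hit else "FN" if truth else "TN"] += 1
    return cm


def metrics(cm):
    """Accuracy, detection rate (anomaly recall) and false-alarm rate."""
    total = sum(cm.values())
    return {"accuracy": (cm["TP"] + cm["TN"]) / total,
            "detection_rate": cm["TP"] / max(cm["TP"] + cm["FN"], 1),
            "false_alarm_rate": cm["FP"] / max(cm["FP"] + cm["TN"], 1)}


def run_experiment():
    tree = build_tree(TRAIN)
    cm = confusion(tree, TEST)
    return tree, cm, metrics(cm)


if __name__ == "__main__":
    tree, cm, m = run_experiment()
    print("tree:", tree)
    print("confusion:", cm, "metrics:", m)
```

On this constructed data the learner first splits on same_srv_rate (isolating the sweep records) and then on serror_rate (isolating the flood records); the missed slow sweep and the false alarm on the multi-service client show why the abstract reports both correct and incorrect classification rates rather than accuracy alone.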


Table of contents

DECLARATION ... i

ACKNOWLEDGEMENTS ... ii

ABSTRACT ... iii

Table of contents ... iv

List of Figures ... viii

List of Tables ... ix

List of Acronyms ... x

Chapter 1 ... 1

1.1 Introduction ... 1

1.2 Problem Statement ... 6

1.3 Research Questions ... 7

1.4. Research Aim And Objectives ... 7

1.4.1 Aim ... 7

1.4.2 Objectives ... 7

1.5. Research Relevance and Contributions ... 8

1.6 Methods of Investigation ... 8

1.6.1 Methodology ... 8

1.6.2 Methods ... 9

1.8 Research Output ... 9

1.9. Thesis Organization ... 9

1.10 Chapter Summary ... 10

Chapter 2 ... 11

2.1 Chapter Overview ... 11


2.2 Software Defined Networks ... 11

2.2.1 Software Defined Networks Architectural Characteristics ... 12

2.2.2 SDN Planes and Layers ... 13

2.3 Wireless Sensor Networks... 14

2.3.1 Wireless Sensor Networks Communication Architecture ... 14

2.4 Software Defined Wireless Sensor Networks ... 15

2.5 Intrusion Detection System ... 15

2.5.1 IDS Architecture ... 17

2.5.2 Types of IDS ... 19

2.5.3 Benefits of using Intrusion Detection System ... 19

2.6 Software Defined Networks Security Challenges ... 20

2.6.1 Main SDN security challenges ... 20

2.7 Wireless Sensor Networks Security Challenges ... 21

2.7.1 Major WSN Security Challenges ... 22

2.7.2 WSN Possible Attacks ... 22

2.8 Software Defined Wireless Sensor Networks Security Challenges ... 23

2.9 Related Work ... 26

2.10 Chapter Summary ... 29

Chapter 3 ... 30

3.1 Chapter Outline ... 30

3.2 Introduction ... 30

3.2 The IDS Approach and Justification ... 31

3.3 Machine Learning Algorithms ... 32

3.3.1 Support Vector Machine ... 32

3.3.2 Decision Tree ... 33

3.3.3 Logistic Regression ... 34


3.6 Research Tools ... 37

3.7 Data Collection ... 38

3.7.2 The Features ... 38

3.7.2 Variables ... 39

3.8 Feature Selection Criteria ... 40

3.9 Model Construction Methodology ... 40

3.10 Chapter Summary ... 42

Chapter 4 ... 43

4.1 Chapter Outline ... 43

4.2 Introduction ... 43

4.2.1 System requirements ... 43

4.3 Experimental Results and Analysis ... 43

4.3.1 Descriptive statistics ... 44

4.3.2 Decision Tree Test Results ... 46

4.3.2 Support Vector Machine Test Results ... 49

4.3.3 Logistic Regression Test Results ... 51

4.4 Comparative Analysis ... 53

4.5 Model Evaluation ... 56

4.4 Chapter Summary ... 58

Chapter 5 ... 59

Proposed SDWSN Intrusion Detection System ... 59

5.1 Chapter Outline ... 59

5.2 Introduction ... 59

5.3 The Proposed System ... 59

5.4 System Architecture ... 60

5.4.1 Intrusion Detection Manager ... 61


5.4.3 Response and Blocking Manager ... 64

5.4.3 Block Database Manager ... 65

5.5 System Operations ... 65

5.6 Proposed SDWSN-IDS Framework ... 66

5.6.1 Overview ... 67

5.6.2 SDWSN IDS Operation ... 67

5.7 Theoretical Evaluation ... 68

5.8 Chapter Summary ... 70

Chapter 6 ... 71

6.1 Summary ... 71

6.2 Conclusions ... 72

6.3 Recommendations ... 73

6.4 Future Work ... 73

References ... 74


List of Figures

Figure 1.1: Basic SDWSN architecture as currently applied by various studies [16] ... 4

Figure 1.2: Broad classification of various issues in a WSN [21]. ... 5

Figure 2.1: Basic architecture of OpenFlow[33] ... 12

Figure 2.2: WSN architecture [49] ... 15

Figure 2.3: Logical IDS Component[52] ... 18

Figure 2.4: generic NIDS functional architecture[52] ... 18

Figure. 3.1. Confusion matrix ... 35

Figure 3.2: Weka interface ... 37

Figure 3.3. Proposed method ... 41

Figure 4.1: The cost and benefits analysis of DT anomaly class. ... 47

Figure 4.2. DT visualization in Weka ... 49

Figure 4.3: Cost and benefits analysis of SVM anomaly class. ... 50

Figure 4.4. Cost and benefits analysis of LR anomaly class ... 52

Figure 4.5: Accuracy rate of the selected learning machines models. ... 55

Figure 5.1: Proposed IDS system architecture/engine. ... 61

Figure 5.2. Intrusion detection process ... 61

Figure 5.3. Intrusion detection algorithm... 62

Figure 5.4. Algorithm for attack severity identification ... 64

Figure 5.5: IDS blocked notification... 65

Figure 5.6. Blocking algorithm. ... 65

Figure 5.7. The proposed IDS workflow. ... 66


List of Tables

Table 2.1 SDN Security challenges and countermeasures ... 20

Table 2.2. Security Requirements of SDN [32] ... 24

Table 2.3. Threats Inherited in the SDN [32] ... 25

Table 2.4: Various intrusion detection system ... 25

Table 3.1. Types of attacks identifiable in KDDCup’99 dataset [92] ... 31

Table 3.2. Basic features of individual TCP connections [92] ... 38

Table 3.3: Content features within a connection suggested by domain knowledge [92] ... 39

Table 3.4: Traffic features computed using a two-second time window [92] ... 39

Table 4.1: Descriptive statistics training dataset ... 44

Table 4.2: Descriptive statistics of testing dataset. ... 45

Table 4.3 – DT testing results ... 47

Table 4.4. Detailed Summary generated by Weka for Decision Tree ... 48

Table 4.5. DT summary of Training and testing results ... 48

Table 4.6 – SVM testing results ... 50

Table 4.7. Detailed Summary generated by Weka for Support Vector Machine ... 51

Table 4.8. SVM summary of Training and testing results ... 51

Table 4.9 – LR testing results ... 52

Table 4.10. Detailed Summary generated by Weka for Logistic Regression ... 53

Table 4.11. LR summary of Training and testing results... 53

Table 4.12. List of features used ... 54

Table 4.13. Model’s accuracy rate summary ... 55

Table 4.14. Time complexity for training and testing ... 55

Table 4.15: Theoretical model evaluation... 57


List of Acronyms

SDN: Software Defined Network

WSN: Wireless Sensor Network

SDWSN: Software Defined Wireless Sensor Network

IDS: Intrusion Detection System

DoS: Denial of Service

IPS: Intrusion Prevention System

MEMS: Micro Electro Mechanical Systems

ML: Machine Learning

SVM: Support Vector Machine

DT: Decision Tree

LR: Logistic Regression

TLS: Transport Layer Security

BS: Base Station

API: Application Programming Interface

DIDS: Distributed Intrusion Detection System

IoT: Internet of Things

LR-WPAN: Low Rate Wireless Personal Area Network

NIDS: Network Intrusion Detection System

HIDS: Hybrid Intrusion Detection System

DARPA: Defense Advanced Research Projects Agency

SMO: Sequential Minimal Optimization

WEKA: Waikato Environment for Knowledge Analysis

SOM: Self Organising Map

TCP: Transmission Control Protocol

TP: True Positive

FP: False Positive

TN: True Negative

FN: False Negative

QoS: Quality of Service


Chapter 1

Introduction and Background

Chapter Outline

This chapter briefly introduces this research. Here, the research problem is defined, as well as the research aim and objectives. Moreover, the research questions are stated and the different research methodologies explained.

1.1 Introduction

Recent innovations in Micro-Electro-Mechanical Systems (MEMS) technology have made the development of tiny sensor devices easy and more useful [1]. In particular, MEMS and Wireless Sensor Network (WSN) technologies have evolved swiftly and attracted tremendous attention from both the academic and industrial fields. The technology supports several types of applications in both the military and civilian fields. Sensor networks are made up of a number of sensor nodes, which are sometimes placed in a field that is not secured. Each sensor has the responsibility of sensing a specific event and sending the sensed data to the central node. The central node is also known as the Base Station (BS). In addition, the sensor nodes can work together as a group to execute certain tasks or to share information [2]. Currently, WSN has two deployable architectures: the hierarchical and the distributed flat architecture [3].

WSNs, like other networks, are vulnerable to attacks and are thus linked to many security challenges [4–6]. For instance, a spoofing threat in WSNs has the ability to manipulate the network routing information, collect passive information, subvert nodes and perform several attacks such as sinkhole, Sybil, DoS and jamming [7,8]. Figure 1.2 shows a broad classification of various issues in a WSN. Nevertheless, data authentication, confidentiality, integrity, availability and redundancy are crucial security requirements of WSN that need to be protected in any WSN system or application. Specifically, security has become a problem for WSN because of its widespread applicability, including battlefield surveillance, building monitoring and critical systems such as airports and hospitals [8].

The idea of Software Defined Networking (SDN) has brought major changes to the technical and economic outlook of networking and telecommunications networks only a few years after its inception. The idea of SDN has been adopted in data centres and cloud computing services, whose private network operations constituted the perfect hatchery for such innovation [9]. SDN presents the possibilities of rapid advancement, hardware independence and centralized control of networks. The separation or decoupling of the control and data planes in SDN affects the design of the firewall system and permits the logic and policies of the firewall to be executed in the control plane while the switches execute the switching and filtering operations based on the configured rules [10]. Thus, SDN technology makes network management simple and allows innovation through decoupling and network programmability [11]. The controller utilizes the interface and manages the control of network resources in a logically centralized way. Additionally, SDN manages the distributed network resources and supplies an abstracted view of the network resources to the SDN applications [12]. In a typical SDN architecture like the OpenFlow-based architecture, three main planes are important, namely the application plane, the control plane and the data plane, as well as two Application Programming Interfaces (APIs), the northbound and southbound interfaces. A high-level discussion is presented as follows:

The application plane: This plane is responsible for hosting services and managing the execution of applications that utilise network resources. Such programs include security monitoring, access control, intrusion detection and prevention systems, etc. These programs are used to directly, explicitly and programmatically share the expected network behaviour and requirements with the SDN controller via the northbound interface.

The control plane: The control plane comprises a unique network component named the SDN controller, which is logically centralized but in principle distributed. The controller is the brain of the network and maintains active communication with the network devices, with functions such as starting, ending, adding, deleting or modifying flow rules and paths, providing an abstract view of the entire network, etc. The controller controls the entire network and provides programmatic interfaces to the underlying network.

The data plane: The data plane, also known as the forwarding plane, is tasked with implementing the management operations of the controller via network devices such as switches, routers, sensors, etc. These SDN-enabled network devices are utilised for data forwarding, and for network information collection and sharing with the control plane, using the southbound interface.

The APIs: The APIs are mainly the northbound and the southbound interfaces, as follows:

i. Northbound interface: The northbound API, as it is also called, is used for facilitating communication between the network applications and the control plane. The interface is specifically used for supporting application or service orchestration, automation and innovation.

ii. Southbound interface: This interface or API sits between the data and the control planes and is used to support the overall programmatic control of the forwarding plane, provide notification of events, capability advertisement and network statistics reporting.
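To make the division of labour between the three planes and the two interfaces concrete, here is an added Python model of the architecture just described; it is not code from the dissertation, nor from OpenFlow or any real controller. A data-plane switch holds a flow table of match, counter and action entries (the columns shown in Figure 1.1), a control plane programs that table through a southbound call and receives the packets the table cannot match, and an application-plane intrusion detection service reports an abusive source through a northbound call so that the controller installs a drop rule. The addresses, the traffic mix and the new-flow threshold are constructed for the example.

```python
"""Model of the SDN application, control and data planes with northbound and
southbound calls, plus an application-plane IDS that has a source blocked.

Added example, not code from the dissertation or from any real SDN
controller or OpenFlow switch. Addresses, traffic and the threshold are
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowEntry:
    """One flow-table row: match fields, action, priority and a hit counter."""
    match: dict
    action: str
    priority: int = 0
    counter: int = 0

    def matches(self, packet):
        return all(packet.get(k) == v for k, v in self.match.items())


class Switch:
    """Data plane: forwards by flow table; a table miss goes to the controller."""

    def __init__(self, name, controller):
        self.name = name
        self.controller = controller
        self.table = []

    def receive(self, packet):
        hits = [e for e in self.table if e.matches(packet)]
        if hits:
            entry = max(hits, key=lambda e: e.priority)
            entry.counter += 1
            return entry.action
        # Table miss: hand the packet up over the southbound interface ("packet-in")
        return self.controller.packet_in(self, packet)

    def install(self, match, action, priority):
        """Southbound call: only the controller writes flow entries."""
        self.table.append(FlowEntry(match, action, priority))


class Controller:
    """Control plane: logically centralized view, programs the switches."""

    def __init__(self):
        self.switches = []
        self.apps = []
        self.blocked = set()
        self.packet_ins = 0

    def attach(self, switch):
        self.switches.append(switch)

    def register_app(self, app):
        self.apps.append(app)

    def packet_in(self, switch, packet):
        self.packet_ins += 1
        for app in self.apps:          # application plane observes every new flow
            app.observe(packet)
        if packet["src"] in self.blocked:
            return "drop"
        # Reactive rule: let the data plane handle the rest of this flow itself
        switch.install({"src": packet["src"], "dst": packet["dst"]}, "forward", 1)
        return "forward"

    def block_source(self, src):
        """Northbound call used by applications: drop everything from src."""
        self.blocked.add(src)
        for sw in self.switches:
            sw.install({"src": src}, "drop", 10)   # outranks the forward rules


class RateIds:
    """Application plane: flags a source whose new flows exceed a threshold."""

    def __init__(self, controller, threshold):
        self.controller = controller
        self.threshold = threshold
        self.new_flows = defaultdict(int)
        self.alerts = []

    def observe(self, packet):
        src = packet["src"]
        self.new_flows[src] += 1
        if self.new_flows[src] > self.threshold and src not in self.controller.blocked:
            self.alerts.append(src)
            self.controller.block_source(src)


def build_packets():
    """Constructed traffic: one ordinary client, then a host sweeping 20 others."""
    pkts = [{"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 80}] * 5
    pkts += [{"src": "10.0.0.5", "dst": "10.0.0.21", "dport": 443}] * 3
    pkts += [{"src": "10.0.0.9", "dst": f"10.0.0.{h}", "dport": 22} for h in range(30, 50)]
    pkts += [{"src": "10.0.0.9", "dst": "10.0.0.30", "dport": 22}] * 3
    return pkts


def run_demo(threshold=10):
    controller = Controller()
    switch = Switch("s1", controller)
    controller.attach(switch)
    ids = RateIds(controller, threshold)
    controller.register_app(ids)
    actions = [switch.receive(p) for p in build_packets()]
    return {"alerts": ids.alerts,
            "packet_ins": controller.packet_ins,
            "forwarded": actions.count("forward"),
            "dropped": actions.count("drop"),
            "drop_rule_hits": sum(e.counter for e in switch.table if e.action == "drop")}


if __name__ == "__main__":
    print(run_demo())
```

Two things the run makes visible: the ordinary client causes only two table misses (one per flow) and is then served entirely by the data plane, whereas the sweeping host produces a table miss for every new destination, which is exactly the traffic that lands on the controller and that the application-plane IDS gets to see. Once the drop rule is installed, the later packets from that host, even to a destination that already had a forward rule, are discarded at the switch without reaching the controller. A real deployment would additionally expire the stale forward rules left behind by the sweep rather than keep them in the table indefinitely.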

Despite the benefits offered by SDN, the network technology also faces a series of security challenges which have affected its widespread adoption. These security challenges mainly affect the SDN architecture, such as evasion of predefined mandatory policies, which results in overwriting flow entries, hijacking of an application server, and the insertion of fraudulent flow entries to facilitate data eavesdropping, etc. [13,15]. Kreutz et al. outlined different types of security threats to SDN, namely: forged or faked traffic flows, SDN equipment faults and vulnerabilities, attacks on control plane communications, controller and application vulnerabilities and, lastly, the lack of trust between the controller and SDN applications. Moreover, Alsmadi and Xu listed some of the SDN security threats, namely spoofing, tampering, repudiation, DoS, etc.

As one of the applications of SDN, the Software Defined Wireless Sensor Network (SDWSN) has emerged as a network model resulting from the combination of SDN and WSN [16]. SDWSN is envisaged to address several setbacks of WSN in terms of network complexity and inflexibility. It can be used to advance the efficiency and sustainability of WSNs, promote compatibility and interoperability with other networks, and play a vital role in the future of the IoT [17]. Figure 1.1 shows the basic OpenFlow-based SDWSN architecture as currently proposed in [16]. Given the importance and the critical role of WSN in modern society, it is vital to secure it and make sure that it is dependable. The main approaches to implementing SDN in WSN include Flow-Sensor, Sensor OpenFlow, TinySDN [18] and SDN-WISE [19].


[Figure 1.1: block diagram of the application plane (routing, security and load balancing applications), the control plane (controllers 1 to n with programming interface, flow rules generation and mapping function) and the data plane (sensors 1 to m with abstraction, a flow table of match, counter and action entries, in-network processing, data generation, power, sensor and radio), joined by the northbound and southbound APIs.]

Figure 1.1: Basic SDWSN architecture as currently applied by various studies [16]

Security is an important tool for every network and SDWSN is no exception. SDWSN also faces many security challenges inherited from SDN and WSN. Security in SDWSN is still in its early stages, while several researchers have done much work in SDN and WSN respectively. However, some of the security solutions for SDN and WSN can be applied to SDWSN and some cannot. The main reason is that SDWSN does not have major security components such as middle boxes and Transport Layer Security (TLS), and this makes it more vulnerable to threats and attacks. Even though network attacks can be observed across the entire network, the controller is the entity most attacked, because it is the intelligence of the network and, being centralized, poses a single point of failure. Furthermore, denial of service (DoS) attacks and intrusion attacks are more popular in SDN-based wireless networks. Some solutions have been proposed to minimize attacks on SDWSN, but they have not managed to completely eliminate them [17].

An advantage of SDWSN is that it increases network security through its ability to filter traffic flows based on packet contents or network states [20]. In traditional networks, such functions normally require additional security modules, whereas in SDWSN they can be naturally supported. Additionally, the separation between the control and data planes in SDWSN gives several advantages, but it also introduces more risks, which make the network more vulnerable to attack vectors than traditional networks [20].

[Figure 1.2: classification of WSN issues into applications, sensor technology, services (localization, coverage, security, synchronization, data aggregation, cross-layer optimization), communication protocols (transport layer, network layer, data link layer), system platform (operating system, storage) and support (performance evaluation).]

Figure 1.2: Broad classification of various issues in a WSN [21].

Intrusion detection systems (IDS) are computing components equipped with the capability of monitoring the network or the system to see if there is any intrusion or attack trying to disrupt the confidentiality, integrity or availability of a resource [22]. One of the important functions of an IDS is to monitor the network and user activity in order to detect intrusions. It is an essential part of security for resource-constrained wireless networks, as they are geared towards high-survivability networks [23]. IDSs are important aspects of the network, as they safeguard the integrity of the network against intruders, who pose a serious threat to its security. An IDS represents an important weapon in the realm of system security against different types of attacks. Generally, IDSs are focused on classifying what is normal and what is abnormal [24]. An IDS in the network is important because an Intrusion Prevention System (IPS) alone is not enough to ensure the protection of system resources. In addition, as the system scales and as security becomes less of a concern in people’s minds, exploitable vulnerabilities in the system are always exploited, as a result of errors originating from design and programming as well as various penetration techniques such as social engineering. At present, IDS has widespread applications in different networks such as WSN, ad hoc networks, SDN and other related fields [25, 26].

Given the critical context in terms of SDN, WSN and IDS, it is therefore important to protect the SDWSN from the diverse attacks that plague such networks. This forms the motivation of this research. In essence, this research was carried out to design and implement an intrusion detection system for SDWSN. The scholars believe that, if the network becomes fully aware of intrusions and deadly attacks, it could easily protect itself against such threats and attacks.

1.2 Problem Statement

WSNs are vulnerable to growing security attacks and threats, which current traditional security mechanisms are unable to cope with or mitigate [27]. SDWSN was introduced to bring flexibility, programmability and innovation to the WSN. However, it is faced with a multitude of security challenges inherited from both SDN and WSN, which have become a bottleneck to its operation, widespread adoption and application [27]. In particular, major security components are not found in SDWSN, since security was not considered in the initial SDN architecture. Consequently, this makes SDWSN more prone to security attacks. Such components include the middle boxes and transport layer security (TLS) [27]. Among the multitude of threats and attacks on the SDWSN, DoS attacks and intrusion attacks are the most prominent and popular attacks that can cripple SDWSN [27]. These attacks pose a serious danger to the SDWSN controller, which is the brain of the entire network. The centralized controller also poses a single point of failure in the network and is the most targeted component for attacks. Thus, if the controller is attacked, the whole network will fail.

Today, security is considered a very critical architectural concern, especially in this Internet-oriented world where almost everything is connected. Despite several innovations and research efforts, security is still a very open area that requires continuous improvement. In the perspective of networks, several research works have been conducted in academia and industry, and most of them address security in SDN and in the traditional WSN respectively. Some of these security approaches can be applied to SDWSN while others are considered infeasible. Moreover, given the characteristics of WSN in particular, the infeasibility of existing security techniques in SDWSN is a direct consequence of the inherent constraints of WSN, such as inflexibility in management, nodes prone to attacks, memory, energy and access to nodes after deployment. Though some security solutions have been offered in the perspective of WSN, such as authentication, key exchange, routing protocols, etc., these solutions can prevent a few attacks but not all. Moreover, security research in SDWSN has received less attention and there are no effective mechanisms to detect intrusions in the technology. Thus, it is against this backdrop that the network finds it difficult to be proactive and alert. To this end, one of the viable solutions to deal with the security-related issues in SDWSN is to employ an IDS [28].


Given the stated security challenges in the SDWSN, it is therefore important that the network becomes proactive and alert to the multiple potential attacks trying to harm it. Consequently, it is paramount to design and implement a generic mechanism to detect threats and attacks launched by attackers and other intruders. Hence the choice of an IDS that is capable of monitoring the network and detecting the diverse threats and attacks that maliciously target the network.

1.3 Research Questions

To achieve the research aim and solve the stated research problem, the scholars have to find answers to the following questions:

RQ1: What are the security challenges that affect SDN and WSNs, and what is the state of the art in IDS?

To answer RQ1, the following sub-questions are asked:

RQ1.1: What are the current security issues in WSN and SDN?

RQ1.2: What is the state of the art and practice of IDS in SDN and WSN?

RQ2: How can we design a generic IDS to provide effective security for SDWSN?

RQ3: How can we evaluate the effectiveness and performance of the designed IDS?

1.4. Research Aim and Objectives

1.4.1 Aim

The aim of this research is to design a generic IDS that is capable of detecting multiple network-based attacks and threats in the SDWSN.

1.4.2 Objectives

To answer the above research questions and meet the stipulated aim, the objective of developing a generic IDS capable of detecting multiple network-based attacks and threats in SDWSN shall be achieved as follows:

R1: Carry out in-depth study and analysis on SDN, WSN and related studies, SDN security and intrusion detection systems for network applications.

R2: Design an intrusion detection system framework for SDWSN based on machine learning techniques.

R3: Carry out simulations or theoretical assessment where possible to evaluate the performance of the proposed IDS.


1.5. Research Relevance and Contributions

The main contribution of this research is to provide a preventive and proactive security measure for SDWSN, that is, an IDS to help SDWSNs be more alert and proactive at all times against all forms of security attacks and intrusions. The IDS will act by detecting, using a machine learning technique, the intrusions and threats that try to enter the network to cause damage. Thus, the IDS will block them before they can negatively manipulate or destroy the network. This will help realize the impeccable benefits of SDWSN, make it more secure and dependable, and increase its application.

1.6 Methods of Investigation

1.6.1 Methodology

In this work both qualitative and quantitative research were adopted. Thus, the methodology includes the following: the literature, which was reviewed in order to identify the problem and establish the existing works on IDS and SDWSN; and the analysis of statistical data containing numeric values. The training data were used for training the machine learning models, which were later used to classify normal and abnormal instances. The following steps were taken to implement the constructive methodology:

a. Problem identification through the reviewing of existing literature.

b. Getting more information about the topic.

c. Showing that the problem can be resolved and how it can be solved.

d. Perform a series of experiments to evaluate the performance of several machine learning algorithms.

e. Illustrating the impact and contributions this study is making to the Software Defined Wireless Sensor Networks.

f. Theoretical evaluation of the proposed model and the results obtained.

The literature illustrated that there is a need to protect the network and that, as the problem statement has indicated, there is still much work to be done on the security aspect of SDWSN, since it is still in its infancy as a network.

This study will solve the problem by proposing a suitable IDS that will be able to detect intrusions in the network. A series of experiments will then be used to evaluate the performance of the models. Theoretical evaluation of the results of the proposed model is used to show the effectiveness of the proposed model.

1.6.2 Methods

Framework Design: This research work employed framework design as the appropriate research method. The proposed framework is an IDS and supports the idea of cooperative defence by IDS in the SDWSN context. The framework uses an ML model called Decision Tree (DT) to classify normal and anomaly instances from the specific numerical data in network packets. The framework is designed to ensure that there is secure communication within the network, making sure that there is effective utilisation of network resources and guaranteeing only authorized and uncompromised access to the network.

1.7 Research Scope and Limitations

This research will evaluate three ML algorithms to measure their performance and effectiveness. The one which is proven to perform better will be used to design the Intrusion Detection framework for SDWSN. This research will not implement the IDS after designing it due to time and resource constraints.

1.8 Research Output

This subsection presents the research work or output that has been presented and published in an International Conference:

1. Kgogo, T., Isong, B. and Abu-Mahfouz, A.M., 2017, September. Software defined wireless sensor networks security challenges. In AFRICON, 2017 IEEE (pp. 1508-1513). IEEE.

1.9 Thesis Organization

This research is divided into the following chapters:

Chapter 2 - Literature review: Presents detailed background information about SDN, WSN, and SDWSN with respect to the existing literature. Furthermore, it explains the security challenges in these networks. The chapter also provides a detailed explanation of IDS and its benefits.

Chapter 3 - Methodology and design: Presents the methodology, research tools and experimental setup used to determine the best technique to detect intrusion in SDWSN. It further explores IDS techniques, the machine learning algorithms, and data collection approaches. Finally, it provides the overall methodology adopted in this research.

Chapter 4 - Results & Discussions: This chapter presents the results, analyses and detailed


Chapter 5 - Proposed SDWSN Intrusion Detection System: This chapter presents the design of the proposed framework, an IDS for SDWSN based on the adopted ML algorithm.

Chapter 6 - Summary, Conclusions and Future Work: Presents the summary, conclusions and recommendations for future work on this research topic.

1.10 Chapter Summary

This chapter introduced the research. It presented the statement of the problem, the questions to be answered and outlined the main aim and objectives of this research. The chapter further discussed the different research methodologies employed and provided a rationale and justification for the research.


Chapter 2

Literature Review

2.1 Chapter Overview

This chapter presents detailed background information about WSN, SDN and SDWSN with respect to the existing literature. Furthermore, it explains the security challenges in the above-mentioned network paradigms and provides a detailed explanation of IDS and its benefits.

2.2 Software Defined Networks

SDN is a network paradigm created to address inherent limitations, such as the lack of flexibility, in traditional network management [29, 30, 31]. SDN is a network technology in which network management is made easier, allowing the network to be dynamically controlled, changed and behaviour-managed through a technique called network programmability [29, 32]. The reason behind the development of SDN was to make innovation, the programmability of network management, and control easy. It functions on an architecture that separates the data plane from the control plane via the OpenFlow interface. SDN has recently gained attention and has found widespread application.

SDN has existed and evolved since 1996, motivated by the desire for a network that can be easily managed by the user [33]. Implementations have been produced by both industry and research groups. Ethane is a security architecture that combined simple flow-based network switches with a controller that manages the entries and flows [33-34]. OpenFlow allows the entries in the Flow Table to be defined by a server external to the switch. SDN focuses on four key features, and a typical OpenFlow architecture is shown in Figure 2.1:

1) The decoupling of the control and data planes.

2) A centralized controller that provides a global and abstract view of the network.

3) Open interfaces between the control plane and the data plane.


Figure 2.1: Basic architecture of OpenFlow [33].

2.2.1 Software Defined Networks Architectural Characteristics

The goal of SDN is to provide openness, centralization, decoupling, programmability, flow-based control and dynamic network switching mechanisms [35]. These characteristics are discussed as follows:

A. Open control: Traditional networking elements like switches and routers are considered vendor-specific. They provide only limited capabilities to experiment with real network traffic using their own networking protocols. With SDN, developers can build middle-boxes that ensure communication between the controller and the network devices. Many controller platforms are open source, such as OpenDaylight, Floodlight, Ryu, and Beacon [36].

B. Centralized control: Different network devices are controlled centrally by a logically centralized controller. In terms of design, this is about separating "the what" from "the how". Such an architecture is able to handle dynamic network instances.

C. Decoupled control: In this case, network functionalities are separated into dedicated tasks related to control and to data. This separation increases overall reusability and maintainability and ensures flexibility of the network in terms of management and configuration. For instance, network policies are separated from rules: security policies at the user level should be expressive in nature, while the rules at the network level should be simple and close to the attributes of the network. Moreover, the virtual or logical network in SDN is separated from the physical network.

D. Programmable controller: This constitutes the main characteristic of SDN, where the controller is programmed by user-level applications or middle-boxes [15]. That is, developers can make modifications to open source controller modules. Programmability can improve SDN more than writing applications or making changes to controller functions. It gives administrators the ability to write policies and monitor OpenFlow networks.

E. Flow-based management control: This capability moves the network from the usual control by IP addresses to flow-based management and control. Although flow-level control is technically possible in traditional networks, their routing protocols make decisions based on IP addresses; in the flow-based architecture of SDN, switches make forwarding decisions based on flows, and records or rules are kept per flow [35].

F. Dynamic control: Due to programmability, there is great dynamism and flexibility in handling frequent changes, with rapid response to activities and dynamic decision making.

2.2.2 SDN Planes and Layers

This section discusses the different planes of SDN as shown in Figure 2.1:

A. Data Plane: The data plane is found at the bottom and consists of network devices such as switches, sensors, routers, access points, etc. These devices can easily be accessed and managed by the SDN controller(s) via the southbound API. The southbound API ensures communication between the network elements and the controller(s) and facilitates secure connections such as TLS. Currently, the OpenFlow protocol is the dominant standard southbound API [37].

B. Controller Plane: Depending on the architecture, the SDN controller plane has one or multiple SDN controller(s) to control the network and provide its global view or forwarding behaviour [38]. The controller sits between the application and data planes and uses interfaces to communicate with them. The southbound API lies between the controllers and the network devices (C-DPI), and the northbound API between the controllers and the applications. These APIs ensure that smooth communication is possible and support network security, management, etc. An SDN controller comprises two components: functional components and control logic, which translate network application requirements into instructions for the resources of the network elements [37].


C. Application Plane: The SDN application plane houses several network applications (e.g. security, visualization, etc.) that communicate with the controller(s) or consume network resources such as the abstract view of the network for decision making. They communicate with the controller(s) through an open northbound API. An SDN application is composed of SDN App Logic and an API driver [37].

2.3 Wireless Sensor Networks

The recent development of smart sensors has triggered advancements in WSNs [39]. WSNs comprise micro-sensors that can monitor physical and environmental conditions such as temperature, humidity, vibration, motion, seismic events, etc. [40], [41]. The wireless connectivity of a WSN allows the creation of ad hoc networks without first setting up physical infrastructure or management. Knowledge of node positions makes it simple to add more useful and essential functions, such as sensing of a specific area, and to improve network efficiency [42], [43]. Thus, node localization is a key component of several WSN applications [44], [45]. WSNs are used to close the gap between the physical world and the virtual world of electronic computers [8]. Their importance lies in their potential to create cost-effective solutions for fields such as the military, medicine, and various Smart City, Smart Grid and Smart Water systems [46, 48]. Additionally, the introduction and proliferation of technologies such as IoT has greatly increased the demand for WSNs, as well as research and development activity in the field of WSNs, in recent years.

2.3.1 Wireless Sensor Networks Communication Architecture

In a WSN, sensor nodes are usually deployed in environments considered hostile to humans, and every sensor node is equipped to collect data and route it back through a multi-hop, infrastructure-less architecture via the sink to end users [49]. Moreover, a sink may be linked to the task manager node through the Internet or a satellite. Figure 2.2 shows the protocol stack employed by all sensors. The stack ensures efficient power consumption and routing awareness, integrates data with networking protocols, communicates power-efficiently through the wireless medium, and promotes cooperative efforts among sensor nodes [49]. As shown in Figure 2.2, and depending on the sensing tasks, different kinds of application software can be developed and deployed on the application layer. The transport layer is responsible for maintaining data flow when required by the sensors, and the network layer handles routing of the data from the transport layer. The MAC protocol is power-aware and able to reduce collisions with neighbours' broadcasts. The physical layer deals with the needs of simple but robust modulation, transmission and receiving techniques. In general, these planes help the sensor nodes coordinate the sensing function effectively and lower overall power consumption [49].

Figure 2.2: WSN architecture [49]

2.4 Software Defined Wireless Sensor Networks

In the realm of computer networks, when SDN is applied to solve the issues affecting WSN, a new network model called SDWSN results. SDWSN is a new network defined for Low-Rate Wireless Personal Area Networks (LR-WPAN) [50]. It combines the best approaches for ensuring the efficiency, security and sustainability of WSNs, and promotes interoperability with other networks [51]. Today, given the importance of WSN applications, it is important that a WSN is secure and dependable. However, integrating full security into a WSN remains a more challenging task than securing other networks, because of the many restrictions and constraints of sensor nodes, such as limited processing power, energy and storage, and the limited bandwidth of wireless links, which are likely to fail [43]. Moreover, sensors are prone to several cyber or physical attacks, such as falsification of data, DoS and interception of communication [49]. These attacks are not different from those common to ad hoc networks, but they are made easier because sensor nodes are left unattended. Regardless of these challenges, security remains crucial for sensor networks [49]. Applying SDN to solve WSN challenges, resulting in the SDWSN paradigm, would certainly enhance the network. Despite this, like other networks, SDWSN is also prone to security challenges, and only a little research has been conducted on them, hence there are few solutions.

2.5 Intrusion Detection System

IDS provides a solution to the problem of intrusions that threaten wireless networks daily. IDSs are systems that guard the entire network's assets; they are able to find abnormal behaviour or improper usage and alert the administrator to take remedial action, much like a burglar alarm [25]. IDSs are made to report the occurrence, method, source and attack signature of a particular intrusion and execute appropriate responses to thwart the attack. IDSs are designed to operate as host based or network based, which are the main types of IDS [52]. IDSs have been realised in several ways for commercial purposes but operate using one of the following three methods:

A. Signature based

In this approach, intrusion detection scans network packets for specific byte sequences (signatures) that are already stored in the network's attack database [52]. Depending on the technique employed to identify the stored signatures, the following names are used: rule based, expert system, state models and string match. Some commercial signature-based systems exist, such as:

Pattern Matching: This intrusion detector detects known attack patterns that were previously detected and coded for further reference and action. For example, if an IPv4 packet destined for port 2345 has a signature like 'smash' in its payload, a flag or indicator is raised immediately and an alarm is signalled to the administrator showing the occurrence of an intrusion [25]. This is the simplest way of detecting intrusions; however, it is the most efficient way, and it can increase the number of false and missed variants. It operates by packet sniffing and is not very useful for stream-based traffic [52]. There are different types of pattern matching, such as:

Stateful pattern matching: An advancement in pattern matching that operates by decomposing the signature in the data packets into parts. It maintains the packet state, making it relevant for stream-based traffic. For example, for the string 'smash', stateful pattern matching will find it split into 'sma' and 'sh' in consecutive packets; it scans the packets and detects them as an intrusion [25].

Protocol decode-based analysis: This is an extension of the pattern matching technique [25]. Here, the protocol elements are detected alongside other known patterns. For each element, it considers variable fields such as the number of arguments, the length of the field and others. Protocol decoding is, for example, used to limit the start and end points of a pattern search involving variable fields.
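The difference between plain pattern matching and stateful pattern matching described above can be shown in code. The following Python example is added here for illustration and is not code from this dissertation or from any cited system; the packet record layout, the function names and the sample packets are constructed, while the port number 2345 and the 'smash' signature are the ones the text uses.

```python
"""Signature-based detection: per-packet pattern matching versus stateful
(stream-reassembling) matching.

Added illustration, not code from the dissertation. The port number 2345 and
the signature 'smash' come from the text; the packet record layout, the
function names and the sample packets are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signature database: (destination port, byte sequence). Constructed for this
# example; the entry mirrors the text's 'smash' on port 2345.
SIGNATURES: List[Tuple[int, bytes]] = [
    (2345, b"smash"),
]


@dataclass
class Packet:
    """A minimal IPv4/TCP packet record (constructed fields only)."""
    src: str
    dst: str
    dport: int
    seq: int          # sequence number of the first payload byte
    payload: bytes


def stateless_match(packets: List[Packet]) -> List[str]:
    """Plain pattern matching: each packet is inspected on its own, so a
    signature split across two packets is missed."""
    alerts = []
    for p in packets:
        for port, sig in SIGNATURES:
            if p.dport == port and sig in p.payload:
                alerts.append(f"{p.src}->{p.dst}:{p.dport} matched {sig!r}")
    return alerts


def stateful_match(packets: List[Packet]) -> List[str]:
    """Stateful pattern matching: payload bytes of the same flow are
    reassembled in sequence order before matching, so 'sma' + 'sh' in
    consecutive packets is still detected."""
    streams: Dict[Tuple[str, str, int], List[Tuple[int, bytes]]] = {}
    for p in packets:
        streams.setdefault((p.src, p.dst, p.dport), []).append((p.seq, p.payload))
    alerts = []
    for (src, dst, dport), chunks in streams.items():
        data = b"".join(chunk for _, chunk in sorted(chunks))
        for port, sig in SIGNATURES:
            if dport == port and sig in data:
                alerts.append(f"{src}->{dst}:{dport} matched {sig!r} (reassembled)")
    return alerts


# Constructed sample traffic: one flow carries the signature in a single
# packet, a second flow carries it split as 'sma' / 'sh' across two segments,
# and a third carries the same bytes to a port the signature does not cover.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", 2345, seq=1, payload=b"GET smash now"),
    Packet("10.0.0.6", "10.0.0.9", 2345, seq=1, payload=b"hello sma"),
    Packet("10.0.0.6", "10.0.0.9", 2345, seq=10, payload=b"sh there"),
    Packet("10.0.0.7", "10.0.0.9", 80, seq=1, payload=b"smash"),
]

if __name__ == "__main__":
    print("stateless:", stateless_match(SAMPLE_PACKETS))
    print("stateful: ", stateful_match(SAMPLE_PACKETS))
```

The stateless matcher raises one alert, for the flow that carries the signature in a single packet; the stateful matcher reassembles the second flow's 'sma' and 'sh' segments and raises two. Matching on the destination port as well as the byte sequence is what keeps the same bytes on port 80 from alerting.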

B. Anomaly Based

This type of intrusion detector is designed not only to scan for network traffic that differs from models of previous 'normal' network behaviour, but also to search for known attacks, such as when some process (e.g. a Trojan) tries to write to a registry. Such behaviour is considered abnormal and is consequently marked as an anomaly. This detector is found in applications in the following forms: protocol anomaly and traffic anomaly detectors, which are configured to scan for uncommon traffic activity such as floods of packets and so thwart DoS attacks; and statistical anomaly detectors, which are configured to recognise a statistical baseline of normal traffic activity and raise alerts when deviations are identified. Statistical anomaly detection systems are described as behaviour-measure intrusion detectors, which are categorised into three classes: event count-based, interval-based and resource consumption-based [54].

C. Specification-based

This intrusion detection technique monitors the current behaviour of systems against laid-down specifications that describe the desired functionality of security-critical entities. Any deviation between the current behaviour and the specifications is reported as an attack or intrusion. The process compares predetermined profiles for each protocol state against observed events to identify variations [52].
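A specification-based detector can be written as a state machine: the specification lists the permitted (state, event) transitions per protocol state, and every observed event for which no transition exists is reported. The Python example below is an added illustration, not part of the dissertation; the simplified handshake protocol, the event names and the event trace are assumptions constructed for it.

```python
"""Specification-based detection: a per-flow state machine encodes the
permitted behaviour; any observed event with no transition in the
specification is reported as a deviation.

Added illustration, not the dissertation's code. The specification is a
simplified TCP-style handshake chosen for this example (assumption), and the
event records are constructed.
"""
from typing import Dict, List, Tuple

# Specification: (current state, observed event) -> next state.
# Anything not listed lies outside the specified behaviour.
SPEC: Dict[Tuple[str, str], str] = {
    ("CLOSED", "SYN"): "SYN_RCVD",
    ("SYN_RCVD", "SYN_ACK"): "SYN_ACK_SENT",
    ("SYN_ACK_SENT", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSED",
}
INITIAL_STATE = "CLOSED"


def check_events(events: List[Tuple[str, str]]) -> List[str]:
    """events: ordered (flow_id, event) pairs as observed on the wire.

    Returns one report per event that the specification does not allow in
    the flow's current state. After a deviation the flow's state is left
    unchanged, so later events are judged against the last known-good state
    rather than against a state the deviation would have produced."""
    state: Dict[str, str] = {}
    reports = []
    for flow, event in events:
        cur = state.get(flow, INITIAL_STATE)
        nxt = SPEC.get((cur, event))
        if nxt is None:
            reports.append(f"flow {flow}: '{event}' not allowed in state {cur}")
        else:
            state[flow] = nxt
    return reports


# Constructed event trace: flow A follows the specification; flow B sends
# DATA before its handshake completes and later a second SYN.
SAMPLE_EVENTS = [
    ("A", "SYN"), ("A", "SYN_ACK"), ("A", "ACK"), ("A", "DATA"), ("A", "FIN"),
    ("B", "SYN"), ("B", "DATA"), ("B", "SYN_ACK"), ("B", "ACK"), ("B", "SYN"),
]

if __name__ == "__main__":
    for line in check_events(SAMPLE_EVENTS):
        print(line)
```

Because the detector only encodes what correct operation looks like, it needs no attack signatures and no training traffic, which is the strength of the specification-based approach; its cost is that the specification must be written, and kept current, for every protocol the system is expected to follow.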

2.5.1 IDS Architecture

The IDS architectures are separated into two categories, host based and network based, depending on the technique used to collect data. A host based IDS looks for information in multiple kinds of log files (e.g. kernel, system, application) and compares the log files against an internal database of typical signatures of known attacks. A network based IDS operates in the opposite way [53–54]: it is designed to search network packets and audit packet information, flagging any suspicious packets. Moreover, the IDS architecture can be split according to the detection mechanism. A signature based IDS focuses on finding events whose predefined signature behaviours are the same as a previously known attack or indicate an attack. An anomaly based IDS looks for any behaviour that deviates from a predefined or accepted model of behaviour. Brutch and Ko proposed another type, the specification based IDS, which describes a set of constraints that express a program's correct operation.


Figure 2.3: Logical IDS component [52]

Although all IDSs have the same basic modules or stages, as shown in Figure 2.4, they differ between networks:

Parameterization: Observed instances of the selected system are represented in a pre-established form.

Training stage: The behaviour of the system (normal or abnormal) is classified and a corresponding model is built. This can be done in many ways, either automatically or manually, according to the network IDS considered.

Detection stage: The system model is employed by comparing it with the observed traffic. If the deviation is beyond or below a certain limit, an alarm is raised to indicate the presence of an intrusion.
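The statistical anomaly detector of Section 2.5 (B) and the three stages listed above can be put together in one short pipeline. The Python example below is added for illustration and is not the dissertation's own code; it implements an event count-based measure with a fixed counting interval and a mean-plus-k-standard-deviations limit, and the interval length, the factor k and the traffic samples are all assumptions constructed for the example.

```python
"""Event count-based statistical anomaly detection, organised as the three IDS
stages: parameterization, training and detection.

Added illustration, not code from the dissertation. The interval length, the
threshold factor and the traffic samples are assumptions constructed for this
example.
"""
import statistics
from typing import Dict, List

INTERVAL = 1.0     # seconds per counting window (assumption)
THRESHOLD_K = 3.0  # alert when a count exceeds mean + K * stdev (assumption)


def parameterize(timestamps: List[float], interval: float = INTERVAL) -> List[int]:
    """Parameterization stage: represent raw packet arrival times as a series
    of packets-per-interval counts (an event count measure), starting at the
    first observed timestamp."""
    if not timestamps:
        return []
    t0 = min(timestamps)
    n_bins = int((max(timestamps) - t0) // interval) + 1
    counts = [0] * n_bins
    for t in timestamps:
        counts[int((t - t0) // interval)] += 1
    return counts


def train_baseline(normal_counts: List[int]) -> Dict[str, float]:
    """Training stage: build the 'normal' behaviour model from counts observed
    during a period believed to be attack-free."""
    return {
        "mean": statistics.fmean(normal_counts),
        "stdev": statistics.pstdev(normal_counts),
    }


def detect(counts: List[int], model: Dict[str, float], k: float = THRESHOLD_K) -> List[int]:
    """Detection stage: compare observed counts with the model and return the
    indices of intervals whose count exceeds the limit. A floor of one packet
    of spread keeps a perfectly uniform baseline (stdev 0) from alerting on a
    single extra packet."""
    limit = model["mean"] + k * max(model["stdev"], 1.0)
    return [i for i, c in enumerate(counts) if c > limit]


# Constructed traffic: 5 packets per second for 10 s of normal operation, then
# an observation window in which 120 packets arrive within one second.
NORMAL_TIMESTAMPS = [s + 0.2 * j for s in range(10) for j in range(5)]
OBSERVED_TIMESTAMPS = (
    [s + 0.2 * j for s in range(10, 13) for j in range(5)]
    + [13.0 + 0.008 * j for j in range(120)]
    + [14.0 + 0.2 * j for j in range(5)]
)


def run_example() -> List[int]:
    """Run all three stages on the constructed traffic and return the indices
    of the intervals flagged as anomalous."""
    model = train_baseline(parameterize(NORMAL_TIMESTAMPS))
    return detect(parameterize(OBSERVED_TIMESTAMPS), model)


if __name__ == "__main__":
    print("flagged intervals:", run_example())
```

train_baseline is run only on counts from a period believed to be attack-free, which is the practical weakness of this approach: if the training window already contains an attack, the baseline absorbs it and the same traffic later looks normal. The floor of one packet in detect is what keeps a perfectly uniform training window from producing alerts on a single extra packet.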

2.5.2 Types of IDS

There are basically two types of IDS, depending on how they monitor activities: host-based and network-based.

(i) Network-based IDS: A network IDS (NIDS) is an alerting component of the network; it can be deployed either inside or outside the firewall or at the boundary of the system. It can also be found on devices connected to an element of an organisation's network, where it scans for any intrusion [54]. The IDS inspects packets when it looks for attacks and is placed where it can easily evaluate traffic entering and leaving a given network using the TCP/IP stack. A NIDS scans for invalid data packets during protocol stack verification [52].

(ii) Host-based IDS: A host IDS is a monitor designed only for the host computer; it is found on business-critical hosts and external servers to watch events on that system. A HIDS can benchmark and monitor the status of main system files and report when an intruder tries to manipulate them. Most HIDSs work on the principle of configuration or change management and are considered efficient on the host system, where encrypted traffic is decrypted and made available for processing [52], [54]. Their components are often logical and software-based: a traffic collector, an analysis engine, a signature database, and a user interface with reporting.

2.5.3 Benefits of using Intrusion Detection System

There are other security measures for protecting the network, such as firewalls, cryptography, antivirus programs, etc. However, not all of them can offer full protection from intrusions originating both inside and outside the defence perimeter, whereas with an IDS protection from any direction can be ensured [54]. That is, IDS is important because other security mechanisms such as cryptography cannot offer the required level of security on their own [54]. For example, cryptographic techniques can only provide security against specific types of attack from external intruders, but not against inside intruders, who already hold the required cryptographic keys. Therefore, intrusion detection mechanisms are important for detecting all forms of intrusion in a system or network.


Table 2.1 SDN Security challenges and countermeasures

Algorithm name: "Novel mechanism for resilience to failures in SDN" [55]
Security aspect: Scaling a man-in-the-middle attack between a switch and the SDN controller
Technique used: Controller replication
Summary: A new mechanism implemented to provide resilience to network failures in SDN. A component was developed to enhance resilience in NOX using its component organisation. Moreover, a Primary-Backup method was introduced to enhance the resilience of SDN.

Algorithm name: "SDN-based DDoS blocking scheme" [56]
Security aspect: DoS/DDoS attack, specifically on the controller
Technique used: DDoS Blocking Application
Summary: The DDoS blocking scheme protects the message exchange between the DDoS blocking application that runs on the controller and the server in an SDN-managed network. All other interactions are carried out over the standard OpenFlow interfaces.

Algorithm name: "Virtual source Address Validation Edge (VAVE)" [57]
Security aspect: Launching a DoS attack aimed at overwhelming the Flow Table and Flow Buffer
Technique used: Integration of a validation mechanism with the OpenFlow/NOX architecture
Summary: Highlights an important limitation of SAVI: one of the addresses bound by SAVI is still forgeable, which makes SAVI difficult to trust and deploy. The problem can be mitigated with a solution called VAVE.

Algorithm name: "Flover" [58]
Security aspect: Security rules and configuration conflicts
Technique used: Flow verification
Summary: Proposed a novel approach that models OpenFlow flow tables with the Yices SMT solver to check whether the non-bypass property is violated. A prototype known as the flow verification tool (FLOVER) was developed; it transforms a given flow table into a series of Yices assertions and checks for any inconsistency with the prevailing security policy of the network.

Algorithm name: "NICE" [59]
Security aspect: Illegal access
Technique used: Automating the testing of OpenFlow applications
Summary: Implemented a tool called NICE, which automates the testing of OpenFlow applications using a combination of model checking and concolic execution. The tool expedites the exploration of the state space of controller programs written for the NOX platform.

Algorithm name: "DISCO" [60]
Security aspect: Distributed multi-controller-based threats
Technique used: DISCO for the WAN control plane and overlay networks
Summary: Developed DISCO (DIstributed SDN COntrol plane) for Wireless Area Network (WAN) and overlay networks considered to be guarded. DISCO is organised per domain, with an individual controller responsible for a specific SDN domain. Additionally, it offers a simple and highly practicable channel between controllers.
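The non-bypass check that FLOVER performs with an SMT solver can be illustrated on a tiny flow table without a solver: for every policy entry that requires traffic to be dropped, look for a rule that would forward an overlapping region of packets and is not shadowed by a higher-priority rule with the required action. The Python example below is an added illustration and is not FLOVER or any other tool from Table 2.1; the match fields, the rule and policy format and the sample flow table are assumptions constructed for it.

```python
"""Checking a flow table against a security policy (the "non-bypass" property):
no rule may forward traffic that the policy requires to be dropped unless a
higher-priority rule with the required action shadows it.

Added illustration of the idea behind flow verification; it is not FLOVER and
uses no SMT solver. Rule format, field names and the sample table are
assumptions constructed for this example. Field values are compared as opaque
strings, so "10.0.9.0/24" is a label, not a parsed subnet (assumption).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIELDS = ("nw_src", "nw_dst", "tp_dst")   # match fields used here (assumption)
Match = Dict[str, Optional[str]]          # None means wildcard


@dataclass
class Rule:
    name: str
    priority: int
    match: Match
    action: str          # "forward" or "drop"


def overlaps(a: Match, b: Match) -> bool:
    """Two patterns can match a common packet iff every field is a wildcard
    on at least one side or equal on both."""
    return all(a.get(f) is None or b.get(f) is None or a[f] == b[f] for f in FIELDS)


def intersect(a: Match, b: Match) -> Match:
    """The region matched by both patterns: concrete wherever either is."""
    return {f: a.get(f) if a.get(f) is not None else b.get(f) for f in FIELDS}


def covers(pattern: Match, region: Match) -> bool:
    """pattern matches every packet in region iff each of its concrete fields
    is also concrete and equal in region."""
    return all(pattern.get(f) is None or pattern[f] == region.get(f) for f in FIELDS)


def find_bypasses(rules: List[Rule], policy: List[Rule]) -> List[str]:
    """One report per (rule, policy) pair where the rule's action contradicts
    the policy on an overlapping region and no single higher-priority rule
    with the policy's action covers that whole region.

    Conservative: shadowing spread across several higher-priority rules is
    not recognised, so such tables yield extra findings, never missed ones."""
    findings = []
    for p in policy:
        for r in rules:
            if not overlaps(r.match, p.match) or r.action == p.action:
                continue
            region = intersect(r.match, p.match)
            shadowed = any(
                h.priority > r.priority and h.action == p.action and covers(h.match, region)
                for h in rules
            )
            if not shadowed:
                findings.append(f"{r.name} ({r.action}) violates policy {p.name} on {region}")
    return findings


# Constructed flow table: a broad forwarding rule installed by one application
# and a narrower drop rule installed by a security application.
FLOW_TABLE = [
    Rule("fwd_all_to_sink", 10,
         {"nw_src": None, "nw_dst": "10.0.0.1", "tp_dst": None}, "forward"),
    Rule("block_guest_telnet", 20,
         {"nw_src": "10.0.9.0/24", "nw_dst": "10.0.0.1", "tp_dst": "23"}, "drop"),
]

# Constructed policy: the guest subnet must never reach the sink on telnet
# (23) or ssh (22).
POLICY = [
    Rule("no_guest_telnet", 0,
         {"nw_src": "10.0.9.0/24", "nw_dst": "10.0.0.1", "tp_dst": "23"}, "drop"),
    Rule("no_guest_ssh", 0,
         {"nw_src": "10.0.9.0/24", "nw_dst": "10.0.0.1", "tp_dst": "22"}, "drop"),
]

if __name__ == "__main__":
    for line in find_bypasses(FLOW_TABLE, POLICY):
        print(line)
```

In the sample table the security application's block_guest_telnet rule shadows the broad forwarding rule for telnet, so the only finding is the ssh case that no rule blocks. The check is deliberately conservative: it does not recognise shadowing spread over several higher-priority rules, so such a table would produce a finding that a solver-based tool like FLOVER would not.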

2.6 Software Defined Networks Security Challenges

2.6.1 Main SDN security challenges

SDN does not have reliable security mechanisms, such as authentication and authorization, at the controller and application level, which makes it difficult to give several parties access to network resources while protecting the network at the same time [29]. Also, several attacks target SDN, for example DoS attacks. Accordingly, there are new DoS attacks that fingerprint the network and launch more efficient resource consumption attacks (DDoS). Moreover, because open interfaces and known protocols simplify network programming, it is easier for intruders or attackers to enter and manipulate the network. With knowledge of the network control and access to the controller, the operation of the network can quickly and easily be subverted to the benefit of the attacker [29]. Also, the OpenFlow architecture of SDN is known for trust issues with OpenFlow applications because third-party development is involved [14]. In general, SDN security vulnerabilities result from the absence of integration with existing security technologies and the inability to inspect every packet [61]. Chen et al. also highlight several security challenges affecting SDN, such as forged or fake traffic flows, attacks on switch vulnerabilities, attacks on control plane communications, attacks on controller vulnerabilities, and the lack of trust management between applications and the controller [62].

2.7 Wireless Sensor Networks Security Challenges

In the realm of WSNs, security threats and attacks are inevitable. Like other networks, WSNs are vulnerable to security attacks and are associated with many security challenges [4–6]. One of the prominent threats in the network is spoofing. The attack can manipulate network routing information, collect information passively, subvert nodes and perform several attacks such as sinkhole, Sybil, DoS and jamming [8]. Data authentication, data confidentiality, data integrity, availability and redundancy are therefore very important security requirements of WSN, needed to protect any WSN system or application.

In particular, security has become a challenging problem in WSN because of its widespread applicability, including battlefields, surveillance, building monitoring and critical systems such as airports and hospitals. To secure the information sent between sensor nodes and the Base Station (BS), the security goal of confidentiality is indispensable; this is crucial to avoid eavesdropping by attackers. It is important for sensor nodes and the BS to be able to check the authenticity of received data and of the nodes involved in the communication, hence it is important to have a trust-establishing mechanism. False data can undermine the predictability of the whole network and compromise the integrity of the data. Thus, data must be protected from alteration so that correct data ultimately reaches the end user. One of the reasons WSNs are vulnerable to security attacks is that they interact closely with the physical environment and with people. To this end, the security mechanisms currently in use are not sufficient to deal with the limitations and complexities faced by WSNs. The critical security challenge in WSNs is protecting them from eavesdropping and tampering.

2.7.1 Major WSN Security Challenges

WSNs have several attributes that make them incapable of mitigating several security attacks in threatening environments such as the battlefield, from a military perspective [63]. They include:

- In WSN, a wireless node can be accessed by everyone. Anyone can participate in an interaction because the radio interface is configured to a constant frequency band for communication. This gives attackers the advantage of breaking into the WSN.

- Several protocols in WSN are open, and attackers can from time to time launch attacks by using vulnerabilities in the open protocols.

- Because of resource constraints, it is difficult to execute security models in a sensor environment, as some of these algorithms are complex.

- WSNs are usually placed in hostile areas without a proper infrastructure, and this poses threats to them because of the difficulty of maintaining constant surveillance after network deployment.

Moreover, Chen et al. [64] summarise other security challenges in WSN, as follows:

- Decreasing the consumption of resources while improving security.

- Sensor networks are likely to be attacked by threats like passive eavesdropping, active interfering, etc.

- During inter-networking, end-to-end information transfer applies immediately.

- Traditional wired-based security schemes are made ineffective by the characteristics of wireless communication.

- The network topology is dynamic because of the addition and failure of nodes.

2.7.2 WSN Possible Attacks

Security attacks that dominate the WSN world can be grouped into the following techniques: node compromise, passive attack, active attack, external attack and internal attack. In a study by Du and Chen, attacks that are likely to target sensor time synchronization were reported. These attacks include replay, message manipulation, masquerade and delay. Other attacks discussed are node subversion, information collection, false nodes and malicious data, as well as Sybil, sinkhole and wormhole attacks. The study also discussed several countermeasures for some of these threats.

1. Attack techniques: Several techniques are used by intruders to launch attacks on WSN because its protocols are known. This can be done by eavesdropping on packets being transmitted; false packets can then be used to cause confusion, and received packets can also be modified before being forwarded.


2. Node compromise: This is one of the deadliest malicious attacks on WSN. It exploits the fact that sensor networks are placed in hostile environments where there is no constant monitoring.

3. Passive versus active attack: In a passive attack, crucial security information can be taken from the WSN unnoticed. The intruder can remain silent and eavesdrop on network traffic in order to steal important information, such as traffic data on which analysis can be performed to obtain secret information [63]. A passive attack is very treacherous because it leaves no traces after it has taken place. The effects of an active attack are more dangerous than those of a passive attack.

4. External versus internal attack: External attacks come from outside the network. They can be carried out by eavesdropping or by inserting compromised flows into the network that consume processing capacity and energy. Internal attacks, on the other hand, are made by nodes thought to be genuine but that behave in unexpected ways.

5. Group communication attacks: Cheikhrouhou discusses attacks on WSN that emerge from group communication. WSNs are vulnerable to several attacks of this kind as a result of inherited network features. Some of the group communication attacks are summarised as follows:

a) Impersonation attack: The attacker pretends to be one of the group members in order to gain access or perform malicious acts in the group. In a WSN, the intruder can interact with other nodes or launch attacks on behalf of the impersonated node.

b) Injecting false messages: False or fake data can be injected into nodes to interrupt their operation.

c) Eavesdropping: Here another participant in the group communication steals transmitted messages. This means that information in important applications such as healthcare and military operations must be kept secret.

d) DoS attack: The attacker tries to stop a group from operating. DoS attacks can be launched by either an insider or an outsider by sending fake group leave requests on behalf of other members.

2.8 Software Defined Wireless Sensor Networks Security Challenges

Security in SDWSN is still at an early stage and not much work has been done on it. The literature shows that much work has been done in both SDN and WSN, and security solutions have been published; some of these solutions can be applied in SDWSN, but others cannot. The controller is the component most often attacked because it is a single point of failure in the network. DoS is one of the attacks likely to threaten SDN-based wireless networks. Mechanisms have been put in place to try to mitigate attacks in SDWSN, but they have not completely mitigated them [17].

The crucial advantage of SDWSN is that it integrates network security with the ability to redirect or filter traffic flows according to packet contents or network state. At the same time, the split between control plane and data plane brings advantages but also more risks, which makes the paradigm more prone to attacks than traditional networks. The security requirements shown in Table 2.2 can be severely affected by the separation of planes in SDN.

Table 2.2. Security Requirements of SDN [32]

Requirement          Description

Confidentiality      Stop information access by unauthorised third parties.
Integrity            Safeguard information from being modified by attackers.
Availability         Make sure that authorised users get access to resources.
Authenticity         Entities are secured so that they are the ones they claim to be.
Authorization        Give only legitimate users access to resources.
Non-repudiation      Users cannot deny the tasks they have done.
Consistency          Make sure that the flow rules defined by different applications do not deviate from one another.
Fast responsiveness  Security events should be handled in real time.
Adaptation           Take care of user mobility and dynamic network conditions.

As stated earlier, some of the threats faced in SDWSN are inherited from both SDN and WSN. Table 2.3, based on the analysis by He et al., lists and summarises the security threats inherent in SDN [20].

Forged or faked traffic flows: Forwarding devices and the controller are the components most vulnerable to this attack. An intruder can launch a DoS attack to exhaust the resources of the forwarding devices and the controller. This attack can be mitigated by an authentication technique.

Attacks on forwarding devices: This attack can confuse the entire network. In this instance a forwarding device can be used to manipulate network traffic.

Attacks on the controller: This is the most dangerous attack on the network, because once the controller is attacked, the whole network could be compromised.
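Two of the points above are concrete enough to show as controller-side checks: forged traffic flows are mitigated by authenticating control messages, and the Consistency requirement of Table 2.2 means the controller should notice when rules from different applications overlap but prescribe different actions. The block below is an added example, not code from the dissertation, from He et al. or from any SDN controller. Its message layout (a `device` field, a sequence number and an embedded `rule`), the per-device pre-shared keys, the application names and the sample rules are all constructed for the illustration; the authentication is HMAC-SHA256 over a canonical JSON encoding, one common way to implement the authentication the text refers to.

```python
"""Controller-side checks: authenticate control messages, then look for
inconsistent flow rules among the accepted ones.

Added example, not the dissertation's code. Message layout, device keys,
application names and sample rules are constructed for illustration.
"""
import hashlib
import hmac
import json

# Pre-shared key per forwarding device (constructed values; a deployment would
# provision these out of band when the device is onboarded).
DEVICE_KEYS = {"sw1": b"example-key-sw1", "sw2": b"example-key-sw2"}


def message_tag(msg, key):
    """HMAC-SHA256 over a canonical JSON encoding of the control message."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def authenticate(msg, tag):
    """Accept a message only if its tag verifies under the claimed device's key.

    A message that claims an unknown device, or whose tag was produced with a
    different key, is the 'forged traffic flow' case and is rejected.
    """
    key = DEVICE_KEYS.get(msg.get("device"))
    if key is None:
        return False
    return hmac.compare_digest(message_tag(msg, key), tag)


def matches_overlap(m1, m2):
    """Two match specifications overlap when every field named in both agrees;
    a field absent from one side acts as a wildcard."""
    return all(m1[f] == m2[f] for f in m1.keys() & m2.keys())


def find_conflicts(rules):
    """Return (app_a, app_b) pairs whose rules overlap but prescribe different
    actions: the Consistency violation from Table 2.2."""
    conflicts = []
    for i, r1 in enumerate(rules):
        for r2 in rules[i + 1:]:
            if (r1["app"] != r2["app"]
                    and r1["action"] != r2["action"]
                    and matches_overlap(r1["match"], r2["match"])):
                conflicts.append((r1["app"], r2["app"]))
    return conflicts


def ingest(signed_messages):
    """Authenticate each (message, tag) pair and keep the rules of accepted ones.

    Returns (accepted_rules, rejected_count, conflicts)."""
    accepted, rejected = [], 0
    for msg, tag in signed_messages:
        if authenticate(msg, tag):
            accepted.append(msg["rule"])
        else:
            rejected += 1
    return accepted, rejected, find_conflicts(accepted)


# Constructed sample rules: the firewall drops web traffic to one host while the
# load balancer forwards all traffic to that host, so the two deviate.
FW_RULE = {"app": "firewall", "match": {"dst": "10.0.0.5", "port": 80}, "action": "drop"}
LB_RULE = {"app": "loadbalancer", "match": {"dst": "10.0.0.5"}, "action": "output:2"}
MON_RULE = {"app": "monitor", "match": {"dst": "10.0.0.9"}, "action": "output:3"}

GOOD_1 = {"device": "sw1", "seq": 1, "rule": FW_RULE}
GOOD_2 = {"device": "sw2", "seq": 7, "rule": LB_RULE}
GOOD_3 = {"device": "sw1", "seq": 2, "rule": MON_RULE}
FORGED = {"device": "sw1", "seq": 3,
          "rule": {"app": "rogue", "match": {}, "action": "output:9"}}
UNKNOWN = {"device": "sw99", "seq": 1, "rule": MON_RULE}

# Constructed sample control traffic: three genuine messages, one signed with a
# wrong key while claiming sw1, and one from a device the controller does not know.
SAMPLE = [
    (GOOD_1, message_tag(GOOD_1, DEVICE_KEYS["sw1"])),
    (GOOD_2, message_tag(GOOD_2, DEVICE_KEYS["sw2"])),
    (GOOD_3, message_tag(GOOD_3, DEVICE_KEYS["sw1"])),
    (FORGED, message_tag(FORGED, b"attacker-guessed-key")),
    (UNKNOWN, message_tag(UNKNOWN, b"whatever")),
]

if __name__ == "__main__":
    rules, rejected, conflicts = ingest(SAMPLE)
    print(f"accepted {len(rules)} rules, rejected {rejected}, conflicts: {conflicts}")
```

Note that the rejected rogue rule has an empty match, which would overlap every other rule; authenticating messages before they reach the consistency check is what keeps a forged message from polluting the rule set in the first place. The sequence number in each message is carried only to show where anti-replay state would sit; the example does not enforce it.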
